So I transfer the XSS script from "Title" to "GameplayVersion". I decided to go this way, since in this case the content length of build's file does not change and it successfully passes the hash sum comparison.

5) Now we return to the dota2 client, click "Edit" and change anything in the our build and publish it again. And we see that the PUT request was successful and the XSS data in it is arranged the way we wanted:

6) Next i follow to the Dota2 Workshop Manager.

And here we see our public file ID. This connection with the public guide files I was found in the preparation of the previous report, but I did not know how to apply it (before today).

7) Put this FileID into a link below and we get the public infected page:

Thank you for your submission! Your report has been validated, and it has been submitted to the appropriate remediation team for review. They will let the HackerOne triage team know the final ruling on this report, and if/when a fix will be implemented. The HackerOne triage team will follow-up after the remediation team has assessed the impact of this report. Please note that the status and severity are subject to change.